應用於網路服務的資訊安全之研究

Abstract

近來台灣經濟體面臨到前所未有的競爭，促使產業型態由製造導向轉型為服務導向，企業不再只是仰賴便宜的勞動成本，來維持利潤，達到永續經營，進而需要依靠的是知識整合的能力；資訊架構亦相同，若不重視資訊的整合，僅止於解決狹窄範疇的問題，無法為企業創造利潤；資訊的整合則不僅僅是企業內部應用系統的整合，而是包括跨企業的電子商務整合。 推動跨企業的電子商務整合其中一個障礙，在於各應用層面之間資訊不易共享，因此『標準』對於電子商務資料交換處理是不可或缺的；除了標準以外，『資訊安全』也是一個必要條件，提供資訊的真確性(information integrity)、交易夥伴鑑別(authentication of trading partners)等信任機制環境，是電子商務系統不可或缺的一環，因此包含數位簽章等的資訊安全議題日趨重要。 透過了解相關全球電子商務組織及標準規格，發現企業從事跨企業或內部應用系統整合時可能會發生的問題。Web Services(網路服務)架構以XML(eXtensible Markup Language，可延伸標記語言)、SOAP(Simple Object Access Protocol，簡易物件存取通訊協定)、WSDL(Web Services Description Language，網路服務描述語言)、UDDI(Universal Description , Discovery ,and Integration，廣泛描述、探索與整合)等核心元件技術為基礎，利用可穿透防火牆的特性，讓應用程式在網際網路上提供服務，達到跨平台互通的目的，使得企業內的資訊整合也可以變成跨企業的整合。 雖然網路服務有諸多好處，但有些研究學者和先進，還是對於Web Services抱持著懷疑的態度，認為『安全性』是Web Services最大的問題，本篇論文即是討論這個議題。本論文於研究過程中，發現國內企業對於Web Services觀念，處於剛起步的階段，企業在希望Web Services帶來整合的契機之外，更加考慮安全性的問題。因此本論文提供一般基礎安全性模組，提供欲開發Web Services的企業內部資訊人員一個參考，在實際運用時可加入更複雜的權限機制，達到全面防護企業的資訊安全。

Taiwan’s economy faces increased global competition. Our industries must evolve from manufacturing to services driven by knowledge-based integration. Information frameworks must be redeveloped in the same manner. If an enterprise doesn’t value information integration then they are only able to solve narrow problems. One of the obstacles to services-oriented e-commerce was developed to share information. XML (eXtensible Markup Language) has evolved as the standard way to share data over the Internet. Web services technologies are based upon XML. Web services are the result of combining SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language), and UDDI (Universal Description, Discovery and Integration) to create a foundation for e-commerce. Web services technology is based on the interoperation of many different software applications running on a variety of dispersed systems in a complex, multi-domain environment via the internet. During my research, I discovered that Web services in Taiwan are not mature. A key benefit of the emerging Web services architecture is the ability to deliver integrated, interoperable solutions. Beyond the previous foundation of protocols, security is a key consideration for Web services. Security is not only a prime requirement of e-commerce implementation, but also an important concern due to the fact that Web Services can penetrate through firewalls. A strategy for implementing Web Services can use pre-existing security infrastructure. Web services require an infrastructure to support authentication, authorization, confidentiality, integrity, and non-repudiation.